
ADC Split Tunnel not working after implement Intranet IP pool



Hi Expert,

 

I need your help to fix a split tunneling issue on our ADC MPX appliance that started after configuring an IP pool network for AAA users.

 

We have three session policies.

1) VPN - Priority 90 - Split tunnel ON - Default Authorization - Allow

2) Receiver Self-Service - Priority 100 

3) Receiver for Web - Priority 110

 

On the Virtual Gateway we have configured an intranet application for my internal subnet.

Bound to the AAA user: an Intranet IP and an Intranet application with a specific IP.

 

The problem started after enabling Intranet IP for AAA users; since then all VPN traffic is going across the tunnel.

 


The above sounds like you are doing both vpn and ica proxy. But for the sake of troubleshooting, split tunnel and intranet ip are vpn functions only. If you are also having ica proxy issues, I would troubleshoot those separately and focus on the vpn behavior first. (If I misunderstood the settings, feel free to clarify.)

 

First, split tunnel requires that the correct intranet apps are defined to identify the destination networks to intercept and direct to the vpn (everything else is ignored and handled by local client networking). This also requires proper authorization policies to allow access to the destination networks. If your vpn works with split tunnel and without intranet IPs defined, then it's likely your intranet apps and authorization policies are correct, but it is good to double check and look in syslog for unexpected deny messages.

 

Next, with intranet IPs, a pool of IPs is bound to either the vpn vserver or the aaa group and then IPs are allocated to the vpn sessions. For this to work the intranet IPs must be valid IPs on the backend network and routable. If part of an existing network, be sure these IPs are not in conflict with DHCP or other IPs actually in use. The most common mistake with intranet IPs is people using a "new" network that is not recognized or routable on the backend, and it results in network issues.

 

So, run a trace and determine if entities on the backend can reach the intranet IPs (as if it was a server in the DMZ) on the ADC, and if an entity (like a server) was assigned one of your intranet IPs in the DMZ, whether it could actually reach internal resources. Routes/firewall rules/ACLs could all be a factor, in addition to authorization policies on the ADC.

 

Finally, it would help to show your actual session policy and ensure that 1) you actually do have the correct pool of intranet IPs associated with the vpn vserver or group, and 2) that the session profile properly ENABLES the use of intranet IPs.

 

Last thing I can think of is that this statement is confusing:

2 hours ago, Ilyas Ahmed1709160958 said:

On the Virtual Gateway we have configured an intranet application for my internal subnet.

Bound to the AAA user: an Intranet IP and an Intranet application with a specific IP.

 

It sounds like you're mapping a specific Intranet IP per user (which is fine if you don't want it allocating one from the pool, but is a lot more work). What doesn't make sense is that you say you have one intranet application per user. Intranet apps are the allowed networks to tunnel through (for split tunnel). Normally they would be assigned per vpn vserver and not per user, and would also represent a network and not a single destination IP (unless you are trying to do a point-to-point connection; which again, is a bit more work and could have some issues... there are much easier ways to do this through a broad intranet app and then narrow authorization policies.)

 

Otherwise, the intranet app may be improperly configured (hard to tell from the description). OR you are missing intermediate IPs like VIPs the client also needs to reach through the vpn tunnel.

 

Either way, check syslog and run some traces to confirm.

 

If you can clarify anything about your actual scenario it should help others troubleshoot with you. But be sure your use case for your intranet apps and intranet IPs makes sense.
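As an added example (not the poster's or Citrix's configuration), here is the set of NetScaler CLI objects the answer above is checking for, with every object name, subnet and group assumed: one intranet app covering the whole tunneled network, an intranet IP pool bound to the VPN vserver, a session profile that turns on both split tunnel and intranet IPs, and a narrow authorization policy bound to the AAA group.

```text
# Assumed names: vs_vpn (Gateway vserver), VPN_Users (AAA group),
# 10.20.0.0/16 (internal network), 10.250.0.0/24 (intranet IP pool).

# 1) Intranet app = the network the plug-in intercepts and sends into the tunnel.
#    One broad network per vserver, not one destination IP per user.
add vpn intranetApplication ia_internal ANY 10.20.0.0 -netmask 255.255.0.0 -destPort 1-65535 -interception TRANSPARENT
bind vpn vserver vs_vpn -intranetApplication ia_internal

# 2) Intranet IP pool bound at the vserver (could also be bound to the aaa group).
#    The pool must be a real, routable subnet on the backend: the internal
#    router/firewall needs a route for 10.250.0.0/24 pointing at the ADC SNIP,
#    and nothing else (DHCP, servers) may hand out addresses from it.
bind vpn vserver vs_vpn -intranetIP 10.250.0.0 255.255.255.0

# 3) Session profile: split tunnel ON and intranet IPs enabled.
#    NOSPILLOVER refuses the session when the pool is exhausted instead of
#    silently falling back to the mapped IP, which keeps the source-IP model predictable.
add vpn sessionAction sa_vpn -splitTunnel ON -defaultAuthorizationAction ALLOW -useIIP NOSPILLOVER
add vpn sessionPolicy sp_vpn true sa_vpn
bind vpn vserver vs_vpn -policy sp_vpn -priority 90

# 4) Authorization does the narrowing (assumed advanced-policy expression):
#    only the internal network is reachable even though the intranet app is broad.
add authorization policy authz_internal "CLIENT.IP.DST.IN_SUBNET(10.20.0.0/16)" ALLOW
bind aaa group VPN_Users -policy authz_internal -priority 100

# Verification: confirm the pool and intranet app are bound, and that an
# active session actually received an intranet IP from the pool.
show vpn vserver vs_vpn
show aaa session
```

If the backend cannot reach 10.250.0.0/24 via the ADC, traffic arrives at servers but the replies never come back, which looks like "everything goes down the tunnel and nothing works" from the client side.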
